Local media report the breach affected 5,454 vascular and thoracic patients at Sentara hospitals in Virginia seen between 2012 and 2015. According to a news release from Sentara, the accessed information may have included patients’ names, medical record numbers, dates of birth, social security numbers, procedure information, demographic information and medications.

The news release says Sentara was notified of the breach on Nov. 17. The company has provided written notice to those affected and established a toll-free number for patients with questions.

Sentara says it is working with law enforcement, the vendor and a cybersecurity firm to investigate.